Problem/Motivation
This was originally logged as a private issue to the security team, but was cleared to be moved to the public queue
Core's node module has an access bypass/information disclosure vulnerability when used with the JSON:API module.
Although the "revision_log" field is configured as a publicly visible field, "revision_log" is more of an admin field and its value may be considered private.
This is where field access is being checked:
https://git.drupalcode.org/project/drupal/-/blob/10.1.x/core/modules/nod...
This issue occurs for any content entity with a revision log field
Steps to reproduce
You can see this vulnerability by:
1. Enabling the JSON:API module
2. As an anonymous user, open the JSON:API route for any node (e.g. /jsonapi/node/article)
3. The response contains the value of "revision_log" (see screenshot)
Proposed resolution
Limit access to view revision log to those who can edit the entity.
Remaining tasks
Get the JSON:API tests passing.
Workaround
If you have a site impacted by this, you can limit the exposed fields via the JSON:API Extras module, or implement hook_entity_field_access() to prevent this field from being exposed.
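As an added example of the hook-based workaround (not code from this issue or from core), the following implementation denies "view" access to the "revision_log" field unless the user can update the entity, which matches the proposed resolution. The module name "revlog_guard" is a placeholder; the example assumes the field is named "revision_log" (true for nodes, and for any other content entity that uses the same field name) and fails closed when the hook is invoked without an entity context.

```php
<?php

/**
 * @file
 * Placeholder module "revlog_guard": hides revision_log from non-editors.
 */

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Field\FieldDefinitionInterface;
use Drupal\Core\Field\FieldItemListInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Implements hook_entity_field_access().
 *
 * Field access is consulted by JSON:API (and by the entity view system), so
 * a forbidden result here removes "revision_log" from JSON:API responses for
 * users who cannot edit the entity.
 */
function revlog_guard_entity_field_access($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {
  // Only act on the revision log field, and only for viewing. Editing is
  // already limited to users who can update the entity.
  if ($operation !== 'view' || $field_definition->getName() !== 'revision_log') {
    return AccessResult::neutral();
  }

  // Without an entity instance we cannot evaluate edit access, so fail
  // closed rather than leak the value.
  if ($items === NULL) {
    return AccessResult::forbidden('No entity context for revision_log access check.');
  }

  $entity = $items->getEntity();

  // Ask the entity's own access handler whether the account may update it,
  // requesting an AccessResult object so its cacheability can be reused.
  $update_access = $entity->access('update', $account, TRUE);

  // forbiddenIf() is used instead of allowedIf(): core's default field check
  // already allows "view", and hook results are combined so that a forbidden
  // result wins while a neutral one changes nothing.
  return AccessResult::forbiddenIf(!$update_access->isAllowed())
    ->addCacheableDependency($update_access);
}
```

After enabling such a module, clear caches and re-request /jsonapi/node/article as an anonymous user: "revision_log" should no longer appear in the "attributes" object. Because the result depends on the update-access check, the cacheability metadata from that check (typically per-user or per-permissions) is attached so that responses are not cached across users with different edit rights.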